Standards & Methodology
Every check WebAuditFix runs is grounded in a published standard — an EU directive, a GDPR article, an OWASP Top 10 category, an IETF RFC, a W3C spec, or Google's documented Search Central guidance. We don't invent rules; we test for compliance with the ones that already exist. This page lists the standards in plain language, and the full check-to-article mapping is at the bottom for auditors who want to verify line-by-line.
Security — 17 checks
Our security checks map to the OWASP Top 10 (2021) and the IETF / W3C transport- and content-security specifications. They cover HTTP-response hygiene observable from the public surface; they are not a substitute for penetration testing or a code-level audit.
- OWASP Top 10 (2021) — A02 (Cryptographic Failures), A04 (Insecure Design), A05 (Security Misconfiguration), A07 (Identification & Authentication Failures). owasp.org/Top10
- RFC 6797 — HTTP Strict Transport Security (HSTS). datatracker.ietf.org/doc/html/rfc6797
- RFC 7034 — HTTP Header Field X-Frame-Options. datatracker.ietf.org/doc/html/rfc7034
- RFC 6265 — HTTP State Management Mechanism (cookies, Secure / HttpOnly / SameSite). datatracker.ietf.org/doc/html/rfc6265
- RFC 9116 — A File Format to Aid in the Coordinated Disclosure of Vulnerabilities (security.txt). datatracker.ietf.org/doc/html/rfc9116
- W3C Content Security Policy Level 3. w3.org/TR/CSP3
- W3C Subresource Integrity. w3.org/TR/SRI
- W3C Referrer Policy. w3.org/TR/referrer-policy
- W3C Permissions Policy. w3.org/TR/permissions-policy
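As an added illustration (not WebAuditFix's own code), the Python below evaluates one captured set of response headers against several of the security checks listed above: HSTS and preload eligibility (RFC 6797 plus the public hstspreload.org submission requirements of a one-year max-age, includeSubDomains and preload), CSP quality under CSP Level 3, cookie attributes under RFC 6265, and X-Content-Type-Options. The check-ID names come from the mapping table on this page; the sample headers and cookies are constructed for the example.

```python
import re
def check_hsts(value):
    """Return (hsts_ok, preload_ok) for a Strict-Transport-Security header value."""
    directives = {d.strip().lower() for d in (value or "").split(";") if d.strip()}
    max_age = next((int(m.group(1)) for d in directives
                    if (m := re.fullmatch(r'max-age="?(\d+)"?', d))), None)
    hsts_ok = max_age is not None and max_age > 0
    preload_ok = (hsts_ok and max_age >= 31536000  # hstspreload.org: at least one year
                  and "includesubdomains" in directives and "preload" in directives)
    return hsts_ok, preload_ok

def csp_quality_issues(value):
    """Flag 'unsafe-inline' and wildcard hosts in script-src (default-src as fallback)."""
    if not value:
        return ["csp-missing"]
    policy = {}
    for directive in value.split(";"):
        if parts := directive.split():
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    sources = policy.get("script-src", policy.get("default-src", []))
    issues = ["unsafe-inline"] if "'unsafe-inline'" in sources else []
    if any(s in ("*", "http:", "https:") or s.startswith("*.") for s in sources):
        issues.append("wildcard-source")
    return issues

def cookie_flag_issues(set_cookie_values):
    """Return {cookie_name: [missing attributes]} for Secure / HttpOnly / SameSite."""
    issues = {}
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in attrs]
        if missing:
            issues[parts[0].split("=", 1)[0]] = missing
    return issues

def run_checks(headers, set_cookies):
    """Evaluate one response against the check IDs used in the mapping table."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts_ok, preload_ok = check_hsts(h.get("strict-transport-security"))
    return {"security.hsts": hsts_ok, "security.hsts_preload": preload_ok,
            "security.csp_quality": not csp_quality_issues(h.get("content-security-policy")),
            "security.x_content_type": h.get("x-content-type-options", "").lower() == "nosniff",
            "security.cookie_flags": not cookie_flag_issues(set_cookies)}

# Constructed sample: HSTS too short for preload, CSP allows inline scripts, one cookie lacks HttpOnly.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=86400; includeSubDomains",
                  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_COOKIES = ["session=abc123; Secure; HttpOnly; SameSite=Lax", "theme=dark; Secure"]
```

Running `run_checks(SAMPLE_HEADERS, SAMPLE_COOKIES)` on the constructed sample passes only security.hsts and security.x_content_type; the same functions can be pointed at any captured response's headers.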
GDPR / Privacy — 10 scored checks + 1 informational
Our GDPR checks reference the operative articles of the EU General Data Protection Regulation and the ePrivacy Directive, plus the EDPB's published guidance on consent — the consolidated standard for "what a compliant cookie banner actually looks like." We're transparent about what HTML alone can verify (presence of a consent platform) and what it cannot (runtime tag-blocking) — see gdpr.consent_layer_verified.
- Regulation (EU) 2016/679 (GDPR) — operative articles we cite: Art. 5(1)(e), Art. 7, Art. 13, Art. 14, Art. 28(3), Art. 32. eur-lex.europa.eu/eli/reg/2016/679/oj
- Directive 2002/58/EC (ePrivacy Directive), as transposed in Ireland by S.I. No. 336/2011. eur-lex.europa.eu/eli/dir/2002/58/oj
- EDPB Guidelines 03/2022 on Deceptive Design Patterns in Social Media Platform Interfaces and EDPB cookie-banner guidance (2023) — sets the "Reject must be as easy as Accept" baseline. edpb.europa.eu
- Irish ePrivacy Regulations 2011 (S.I. No. 336/2011) — domestic implementation of the ePrivacy Directive that applies to our buyers operating in Ireland.
NIS2 hygiene — 12 checks
The NIS2 Directive (in force across the EU from October 2024) requires "essential" and "important" entities to take "appropriate and proportionate" technical, operational, and organisational measures. Article 21(2) enumerates ten measure categories; our checks map to the publicly observable slices — transport security, header hygiene, vulnerability-disclosure contact, supply chain (SRI), and availability hints.
- Directive (EU) 2022/2555 (NIS2) — operative sub-paragraphs we cite: Art. 21(2)(a), (d), (f), (j). eur-lex.europa.eu/eli/dir/2022/2555/oj
- National Cyber Security Bill 2024 (Ireland's transposition of NIS2) — domestic-law layer for Irish buyers.
- RFC 9116 — security.txt format for the Art. 21(2)(j) vulnerability-handling obligation.
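To make the nis2.security_txt and nis2.security_txt_expires checks concrete, here is an added Python example (not the scanner's code) that parses a security.txt per RFC 9116 and applies the rules the RFC makes mandatory: at least one Contact field, exactly one Expires field in RFC 3339 form, not already past and, as the RFC recommends, not more than a year ahead. The sample file is constructed for the example; `now` can be passed as an ISO 8601 string so the freshness logic is reproducible.

```python
from datetime import datetime, timedelta, timezone

def parse_security_txt(text):
    """Parse RFC 9116 'Field: value' lines into {field: [values]}; '#' lines are comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_timestamp(s):
    """RFC 3339 timestamp to datetime; 'Z' is rewritten for older fromisoformat versions."""
    return datetime.fromisoformat(s.strip().replace("Z", "+00:00"))

def check_security_txt(text, now=None):
    """Return pass/fail for the two security.txt check IDs plus the individual findings."""
    now = parse_timestamp(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    if "contact" not in fields:          # RFC 9116: Contact is mandatory
        findings.append("missing-contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:                # RFC 9116: exactly one Expires field
        findings.append("expires-count")
    else:
        try:
            when = parse_timestamp(expires[0])
            if when.tzinfo is None:
                findings.append("expires-no-timezone")
            elif when <= now:
                findings.append("expired")
            elif when > now + timedelta(days=365):   # RFC 9116 recommends under a year
                findings.append("expires-too-far")
        except ValueError:
            findings.append("expires-unparseable")
    return {"nis2.security_txt": "missing-contact" not in findings and "expires-count" not in findings,
            "nis2.security_txt_expires": not any(f.startswith("expire") for f in findings),
            "findings": findings}

SAMPLE = """# Constructed sample security.txt (not taken from any real site)
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
"""
```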
Technical SEO — 11 checks
Our technical SEO checks reflect the documented, public guidance that Google Search Central, Bing Webmaster and the W3C / WHATWG publish — not speculation, not "Moz best practices," not paid SEO-tool heuristics. If a check fires here, you'll find a documented Google or W3C standard explaining why.
- Google Search Central documentation — canonical URLs, sitemap protocol, robots.txt handling, HTTPS as a ranking signal, structured-data guidance. developers.google.com/search/docs
- RFC 9309 — Robots Exclusion Protocol (the canonical robots.txt spec). datatracker.ietf.org/doc/html/rfc9309
- Sitemaps.org protocol — sitemap.xml format (Google / Yahoo / Microsoft joint specification, 2008). sitemaps.org
- schema.org vocabulary — structured-data types and properties. schema.org
- Open Graph Protocol — original spec (Facebook 2010) + de-facto cross-platform adoption (LinkedIn, X/Twitter Cards, Slack unfurls). ogp.me
Full check-to-article mapping (51 rows — every check we run, every standard it cites)
| Check ID | Check | References |
|---|---|---|
| Security | | |
| security.cache_control_homepage | Cache-Control on the homepage | OWASP A04 |
| security.cookie_flags | Cookie Secure / HttpOnly / SameSite | GDPR Art. 32, OWASP A07, RFC 6265 |
| security.corp_coop_coep | Cross-Origin policies (COOP / COEP / CORP) | OWASP A05 |
| security.cors_wildcard | CORS Access-Control-Allow-Origin not wildcard | OWASP A05 |
| security.csp | Content-Security-Policy present | NIS2 Art. 21(2)(a), OWASP A05 |
| security.csp_quality | CSP quality (no unsafe-inline / wildcards) | NIS2 Art. 21(2)(a), OWASP A05 |
| security.hsts | Strict-Transport-Security | NIS2 Art. 21(2)(a), OWASP A02, RFC 6797 |
| security.hsts_preload | HSTS preload eligibility | NIS2 Art. 21(2)(a), OWASP A02 |
| security.https_enforced | HTTPS enforced (HTTP → HTTPS redirect) | NIS2 Art. 21(2)(a), OWASP A02 |
| security.mixed_content | Mixed-content avoidance | OWASP A02 |
| security.permissions_policy | Permissions-Policy | OWASP A05 |
| security.referrer_policy | Referrer-Policy | OWASP A04 |
| security.security_txt | /.well-known/security.txt | NIS2 Art. 21(2)(j), RFC 9116 |
| security.server_header | Server header information disclosure | OWASP A05 |
| security.x_content_type | X-Content-Type-Options nosniff | OWASP A05 |
| security.x_frame_options | X-Frame-Options / frame-ancestors | OWASP A05, RFC 7034 |
| security.x_powered_by | X-Powered-By absent / generic | OWASP A05 |
| GDPR / Privacy | | |
| gdpr.analytics_consent_gated | Analytics gated behind consent | GDPR Art. 7 |
| gdpr.consent_layer_verified | Cookie consent — runtime verification (informational) | GDPR Art. 7, ePrivacy Directive |
| gdpr.contact_email_exposed | Contact email — role addresses only | GDPR Art. 14 |
| gdpr.cookie_consent | Consent management platform detected | GDPR Art. 7, ePrivacy Directive |
| gdpr.cookie_policy | Cookie policy linked | GDPR Art. 13, ePrivacy Directive |
| gdpr.data_controller | Data controller identified | GDPR Art. 13(1)(a) |
| gdpr.dpa_link | Data processing addendum referenced | GDPR Art. 28(3) |
| gdpr.forms_notice | Form privacy notice present | GDPR Art. 13 |
| gdpr.privacy_policy | Privacy policy linked | GDPR Art. 13 + Art. 14 |
| gdpr.retention | Retention statement present | GDPR Art. 5(1)(e) |
| gdpr.rights_mentioned | Data-subject rights mentioned | GDPR Art. 13(2)(b) |
| NIS2 hygiene | | |
| nis2.contact_page | Contact / vulnerability-report page reachable | NIS2 Art. 21(2)(j) |
| nis2.csp | Content-Security-Policy (NIS2 technical measure) | NIS2 Art. 21(2)(a) |
| nis2.hsts | Strict-Transport-Security (NIS2 technical measure) | NIS2 Art. 21(2)(a) |
| nis2.https_enforced | HTTPS enforced (NIS2 transport security) | NIS2 Art. 21(2)(a) |
| nis2.privacy_policy | Privacy policy (NIS2 information sharing) | GDPR Art. 13, NIS2 Art. 21(2)(f) |
| nis2.referrer_policy | Referrer-Policy (NIS2 technical measure) | NIS2 Art. 21(2)(a) |
| nis2.security_txt | Vulnerability disclosure contact (security.txt) | NIS2 Art. 21(2)(j), RFC 9116 |
| nis2.security_txt_expires | security.txt Expires field fresh | NIS2 Art. 21(2)(j), RFC 9116 |
| nis2.server_disclosure | Server-version disclosure (NIS2 information minimisation) | NIS2 Art. 21(2)(a) |
| nis2.sitemap | Sitemap.xml (availability signal) | NIS2 Art. 21(2)(a) |
| nis2.subresource_integrity | Subresource Integrity (NIS2 supply-chain) | NIS2 Art. 21(2)(d) |
| nis2.x_content_type | X-Content-Type-Options (NIS2 technical measure) | NIS2 Art. 21(2)(a) |
| Technical SEO | | |
| tech.canonical | `<link rel=canonical>` present | — |
| tech.https_for_indexing | HTTPS as Google ranking signal | — |
| tech.meta_description | `<meta name=description>` present | — |
| tech.noindex_check | Indexing not blocked by robots / X-Robots-Tag | — |
| tech.og_tags | Open Graph tags present | — |
| tech.robots_present | robots.txt reachable | — |
| tech.robots_valid | robots.txt syntactically valid | — |
| tech.schema_org | schema.org JSON-LD present | — |
| tech.schema_org_type | schema.org primary type valid | — |
| tech.sitemap | sitemap.xml reachable | — |
| tech.sitemap_in_robots | Sitemap URL declared in robots.txt | — |
What this means in practice
A clean WebAuditFix report is necessary but not sufficient evidence of compliance. Our checks cover the publicly observable surface — response headers, on-page markup, well-known files. They cannot tell you whether your offline policies are followed, whether your incident-response runbook works, whether your processors have a valid DPA on file, or whether you actually trained your staff. Those are the next layer; an automated scanner cannot reach them.
Every finding in the Premium PDF carries the article / RFC / OWASP category it maps to (see your most recent report if you have one) so an auditor reviewing your posture can verify our methodology against the same source documents we link above.